The funds are linked to a widespread scheme in which fraudsters promised to pay victims if they opened a cryptocurrency account, deposited funds and reviewed products on fictitious websites mimicking legitimate brands.
# Incident Report: Cryptocurrency Theft via Remote Job Scam
## Executive Summary
Unidentified scammers orchestrated a sophisticated social engineering campaign targeting New York residents with fake remote job offers, ultimately tricking victims into purchasing and transferring over $2 million in stablecoin cryptocurrency (USDT and USDC). The New York Attorney General, in cooperation with law enforcement and stablecoin issuers, successfully froze a significant portion of the illicitly obtained funds following the victims' realization of the fraud. This incident highlights the advanced tactic of leveraging seemingly legitimate platforms and cryptocurrencies to facilitate large-scale theft.
## Incident Details
- **Discovery Date:** Unclear, but investigation/lawsuit activity began around June 2024.
- **Incident Date:** The fraudulent campaign actively ran from January 2023 to at least June 2024.
- **Affected Organization:** Multiple individual New York residents.
- **Sector:** Financial Services/Employment/Social Engineering
- **Geography:** New York, USA
## Timeline of Events
### Initial Access
- **Date/Time:** Starting January 2023
- **Vector:** SMS Text Message Phishing (Smishing) and subsequent WhatsApp communication.
- **Details:** Scammers sent text messages promising high-paying, flexible remote jobs. Victims who responded were directed to communicate via WhatsApp.
### Lateral Movement
- **Details:** The movement was not internal network lateral movement, but rather the progression of the scam: convincing victims to open accounts on legitimate platforms (Coinbase, Gemini, Crypto.com) and then transferring the purchased cryptocurrency (USDT/USDC) to wallets controlled by the scammers.
### Data Exfiltration/Impact
- **Details:** Over $2 million in cryptocurrency was stolen. Victims were tricked into making several deposits under the guise of "reviewing products" and covering fictitious costs, culminating in demands for "upgrade" fees when they attempted withdrawals.
### Detection & Response
- **How it was discovered:** At least one victim, after depositing substantial funds, contacted law enforcement when continually asked for more money to withdraw their supposed earnings.
- **Response actions taken:** The NY Attorney General’s Office, U.S. Secret Service, and Queens County DA's Office launched an investigation. Tether (USDT) and Circle (USDC) cooperated to freeze the illicit funds located in digital wallets traced by the DA's office.
## Attack Methodology
- **Initial Access:** Social engineering via text message detailing a remote job opportunity.
- **Persistence:** Maintaining contact via WhatsApp, building trust, and ensuring victims complied with multiple deposit requests over weeks or months.
- **Privilege Escalation:** Not directly applicable in the traditional sense, but financially, the scammers escalated the amount victims were convinced to deposit based on fictitious review requirements.
- **Defense Evasion:** Using legitimate cryptocurrency platforms (Coinbase, etc.) as intermediaries before the funds were moved to unknown, controlled wallets, obscuring the trail.
- **Credential Access:** No theft of system or account credentials is reported. The scammers instead induced victims to spend from their own credit cards and bank accounts to buy the cryptocurrency they then transferred, gaining the use of those funds indirectly.
- **Discovery:** Victims were reached through unsolicited mass text messages; beyond the campaign reaching New York residents, the source describes no specific targeting method.
- **Lateral Movement:** Funds moved from legitimate exchange wallets to scammer-controlled wallets.
- **Collection:** Gathering fiat currency from victims via credit cards/wires, which was immediately converted to stablecoins.
- **Exfiltration:** Transferring the purchased stablecoins from victim-controlled exchange accounts to attacker-controlled wallets.
- **Impact:** Financial loss exceeding $2 million for victims.
## Impact Assessment
- **Financial:** Over $2 million in cryptocurrency stolen, of which a significant portion was later frozen. One victim lost over $100,000.
- **Data Breach:** No sensitive PII breach explicitly mentioned, but financial transaction data was exposed to the scammers.
- **Operational:** Disruption to victims' personal finances and significant time spent dealing with law enforcement.
- **Reputational:** Negative impact on the perceived legitimacy of remote job postings and cryptocurrency platforms utilized.
## Indicators of Compromise
- **Network indicators:** None provided in the source.
- **File indicators:** None provided in the source.
- **Behavioral indicators:** Unsolicited text messages promising high-paying remote work; requests to open accounts on legitimate crypto exchanges; demands for cryptocurrency deposits under the guise of "product review collateral" or "registration fees"; subsequent demands for "upgrade fees" upon attempting withdrawal.
## Response Actions
- **Containment measures:** Stablecoin issuers (Tether and Circle) froze the identified illicit funds across various digital wallets.
- **Eradication steps:** Launching a lawsuit to secure penalties and restitution; working to obtain court orders to recover frozen funds.
- **Recovery actions:** Efforts underway to claw back the cryptocurrency via cooperation with crypto issuers and law enforcement tracing ($2.2 million traced).
## Lessons Learned
- **Key takeaways:** Sophisticated social engineering remains highly effective, especially when targeting vulnerable populations seeking employment. Scammers are effectively using the decentralized nature of cryptocurrency to facilitate rapid transfers, though blockchain transparency aids eventual tracing.
- **What could have been done better:** Victims were pressured into using their own credit cards and borrowed money to make escalating deposits. Real-time vigilance or alerts from financial institutions and exchanges, triggered when frequent, large fiat-to-crypto conversions are immediately followed by transfers out of the exchange, might have interrupted the pattern earlier.
## Recommendations
- **Prevention measures for similar incidents:** Public awareness campaigns focusing on "job scams" that require upfront financial deposits or cryptocurrency purchases. Financial institutions and crypto exchanges should enhance monitoring for rapid fiat conversion followed by immediate external wallet transfers linked to known scam typologies. The NY AG's novel use of NFT notification should be monitored as a potential legal enforcement tool against anonymous wallet operators.
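A defender-side illustration of the monitoring rule recommended above, added here and not part of the original report or any exchange's actual controls: it flags accounts where a fiat-funded stablecoin purchase is followed within a short window by an external transfer of nearly the same amount, repeated across cycles with escalating amounts. The two-hour window, the two-cycle minimum, the 90% match ratio and the sample events are all assumed or constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    account: str
    ts: datetime
    kind: str    # "fiat_purchase" or "external_transfer"
    asset: str   # stablecoin ticker
    amount: float

WINDOW = timedelta(hours=2)   # assumed: purchase-to-withdrawal gap treated as "immediate"
MIN_CYCLES = 2                # assumed: repeated cycles required before alerting
STABLECOINS = {"USDT", "USDC"}

def find_pass_through(events):
    """Per account, pair each stablecoin purchase with a later external transfer of >=90% of it within WINDOW."""
    by_acct, hits = {}, {}
    for e in sorted((x for x in events if x.asset in STABLECOINS), key=lambda x: x.ts):
        by_acct.setdefault(e.account, []).append(e)
    for acct, evs in by_acct.items():
        pending = []  # purchases not yet matched to an outbound transfer
        for e in evs:
            if e.kind == "fiat_purchase":
                pending.append(e)
            elif e.kind == "external_transfer":
                match = next((p for p in pending if p.asset == e.asset
                              and e.ts - p.ts <= WINDOW and e.amount >= 0.9 * p.amount), None)
                if match:
                    pending.remove(match)
                    hits.setdefault(acct, []).append((match, e))
    return hits

def alerts(events):
    """Alert on accounts with MIN_CYCLES+ pass-through cycles whose purchase amounts escalate."""
    out = []
    for acct, pairs in find_pass_through(events).items():
        amounts = [p.amount for p, _ in pairs]
        if len(pairs) >= MIN_CYCLES and all(b > a for a, b in zip(amounts, amounts[1:])):
            out.append({"account": acct, "cycles": len(pairs), "total": sum(amounts)})
    return out

# Constructed sample: "alice" shows the escalating buy-then-withdraw pattern; "bob" holds what he buys.
T0 = datetime(2024, 6, 1, 9, 0)
SAMPLE = [
    Event("alice", T0, "fiat_purchase", "USDT", 500),
    Event("alice", T0 + timedelta(minutes=20), "external_transfer", "USDT", 498),
    Event("alice", T0 + timedelta(days=3), "fiat_purchase", "USDC", 2500),
    Event("alice", T0 + timedelta(days=3, minutes=35), "external_transfer", "USDC", 2490),
    Event("bob", T0, "fiat_purchase", "USDC", 1000),
    Event("bob", T0 + timedelta(days=30), "external_transfer", "USDC", 200),
]
```

In production the alert would feed a review queue rather than block the transfer outright, since legitimate users also move freshly bought stablecoins to self-custody.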